Git er done.. securely.

Built with Discord Midjourney Bot

Ok, so what’s the right posture for managing my Git credential workflow?

  • Dynamic creds are primo, static credentials are dumb.
  • Short-lived creds are muy bueno and long-lived creds are malo! If someone does gain access to your credential, it doesn’t do anyone any good for very long.
  • Authorize and authenticate access to credentials! I.e., use a secure credential store.
  • Think least-privilege access to resources. If you are committing work to a repo, then your credentials should have just enough access to do basic development on that specific repo. No more, no less.
  • Try not to leave credentials in a file on disk. Your friendly bad actor wants your credentials in that directory.

The GitHub and GitLab CLIs.

# gh auth login -p https -w
? You're already logged into github.com. Do you want to re-authenticate? Yes
? Authenticate Git with your GitHub credentials? No

! First copy your one-time code: AEDC-AB0C
Press Enter to open github.com in your browser...
✓ Authentication complete.
- gh config set -h github.com git_protocol https
✓ Configured git protocol
✓ Logged in as danfedick
# cat ~/.config/gh/hosts.yml
github.com:
    oauth_token: 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
    git_protocol: https
    user: myusername

Note to GitHub CLI devs.

So, don’t use GitHub or GitLab?

Good ole’ Git — I have standards, you know…

  • Least-privilege credentials
  • Cached in a credential store and not on disk.
  • Short-Lived (as low as an hour)
  • Dynamic
  • AuthN/AuthZ to access credentials.
  • Part of my workflow. This auth process should work on the command line and in my IDE and not be so cumbersome that I do everything I can to circumvent it.

Thanks GitHub!

The best credential solution today for PE interaction.

  1. Generate a dynamic, short-lived, fine-grained GitHub PAT. (The shortest token possible via the UI is 1 day.) This might get too cumbersome because it has to be done via the UI; I don’t know of a way to do this with the REST API, yet. I can see moving this to a 7-day token given how we will manage that token.

HowTo — Let’s do this!

Step 1

open https://github.com/settings/tokens
Screenshot in opened web browser for Fine-grained tokens.

Step 2 — Setup repo-level attributes:

Fine-Grained Repository attributes

Step 3 — Store credential

### requires the jq command and the 1Password CLI (op)
### Resolve "org repo" from the origin URL. Handles both
### https://github.com/org/repo.git and git@github.com:org/repo.git
### (the original tr/awk pipeline only worked for the https form).
function repo_from_origin() {
    git remote get-url origin \
        | sed -E 's#^(https://github\.com/|git@github\.com:)##; s#\.git$##' \
        | awk -F"/" '{print $1, $2}'
}

### Store (or refresh) the token for the current repo in the "gh" vault
function set_token() {
    ORIGIN=$(repo_from_origin)
    ORG=$(echo "$ORIGIN" | awk '{print $1}')
    REPO=$(echo "$ORIGIN" | awk '{print $2}')
    # jq -e exits 0 only when an item titled ORG/REPO exists. The original
    # "| echo $?" reported the status of the *previous* command, not jq's,
    # so the existence check never actually worked.
    op item list --vault 'gh' --format=json \
        | jq -e --arg t "${ORG}/${REPO}" '.[] | select(.title == $t)' >/dev/null
    EXIST=$?

    echo "Enter the new token for ${ORG}/${REPO}: "
    read -rs token          # -s: don't echo the token back to the terminal
    echo "Enter the expiration date YYYY-MM-DD: "
    read -r expiry

    # Field is named "expires" in both branches; the original wrote
    # "expiration" on edit, which would have created a second field.
    if [[ $EXIST == 0 ]]
    then
        op item edit "${ORG}/${REPO}" \
            --vault="gh" \
            "credential=${token}" \
            "expires=${expiry}"
    else
        op item create \
            --category="API Credential" \
            --title="${ORG}/${REPO}" \
            --vault="gh" \
            "type=Bearer Token" \
            "credential=${token}" \
            "expires=${expiry}"
    fi
}

### Get the token for the current repo onto the clipboard (pbcopy is macOS;
### newer op releases may also need --reveal to print a concealed field)
function get_token() {
    ORIGIN=$(repo_from_origin)
    ORG=$(echo "$ORIGIN" | awk '{print $1}')
    REPO=$(echo "$ORIGIN" | awk '{print $2}')
    op item get --vault "gh" "${ORG}/${REPO}" --fields label=credential | pbcopy
}
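Pasting the token from the clipboard still means typing it into a prompt, and it does not help an IDE. The same vault layout (vault "gh", item titled "org/repo") can instead feed a Git credential helper, so git and anything that shells out to git gets the token straight from 1Password with nothing written to disk. This is an added example, not code from the post; the helper path in the install comment is a placeholder and the `lookup_token` wrapper exists only so the vault call can be swapped out when testing.

```sh
#!/bin/sh
# Added example (not from the post): a Git credential helper that reads the
# per-repo fine-grained PAT from the same 1Password vault ("gh", item title
# "org/repo") that set_token writes to, so git and any IDE that shells out
# to git gets the token without it being written to disk. Install (path is
# a placeholder):
#   git config --global credential.useHttpPath true
#   git config --global credential.helper '/path/to/gh-op-helper'
# git runs "<helper> get", feeds key=value lines on stdin and expects
# username=/password= lines back.
set -eu

# Turn the credential request into the vault item title "org/repo".
# Returns 1 for anything that is not a github.com HTTPS org/repo path.
repo_from_credential_input() {
    protocol="" host="" path=""
    while IFS='=' read -r key value; do
        case "$key" in
            protocol) protocol=$value ;;
            host)     host=$value ;;
            path)     path=$value ;;
            '')       break ;;         # blank line ends the request
        esac
    done
    [ "$protocol" = https ] && [ "$host" = github.com ] || return 1
    path=${path#/}
    path=${path%.git}
    case "$path" in
        */*/* | */ | '') return 1 ;;   # must be exactly org/repo
        */*)             printf '%s\n' "$path" ;;
        *)               return 1 ;;
    esac
}

# Vault lookup, wrapped so a test can substitute it.
lookup_token() {
    op item get --vault gh "$1" --fields label=credential
}

# "get" action. GitHub accepts a PAT as the password with any username.
credential_get() {
    repo=$(repo_from_credential_input) || return 1
    token=$(lookup_token "$repo") || return 1
    printf 'username=git\npassword=%s\n' "$token"
}

case "${1:-}" in
    get)         credential_get ;;
    store|erase) ;;                   # nothing cached on disk to update
esac
```

Because the helper never answers `store`, a token that is revoked or expires in the vault stops working everywhere at once, which is the whole point of the short-lived workflow above.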
